EA-7/05 - EA Guidance on the Application of ISO/IEC 17021:2006 for Combined Audits

Transcription

1 Publication Reference EA-7/05 EA Guidance on the Application of ISO/IEC 17021:2006 for Combined Audits PURPOSE This document has been prepared by a task force under the direction of the European Cooperation for Accreditation (EA) Certification Committee to harmonise generic principles according to which combined audits of management systems should be conducted (whatever the combination). October 2008 rev 00 Page 1 of 15

2 Authorship The publication has been written by a task force of the EA Certification Committee. Official language The text may be translated into other languages as required. The English language version remains the definitive version. Copyright The copyright of this text is held by EA. The text should not be copied for resale. Further information For further information about this publication, you should contact your national member of EA or the Chairman of the Certification Committee. Please check our website for up-to-date information Category 2 EA MLA support documents Date of approval: 25 October 2008 Date of implementation: 25 October 2009 Transitional period: October 2008 rev 00 Page 2 of 15

3 Foreword This document has been prepared by a task force under the direction of the European Cooperation for Accreditation (EA) Certification Committee to harmonise generic principles according to which combined audits of management systems should be conducted (whatever the combination). The working group consisted of representatives from European Accreditation Bodies and stake holders representing accredited certification bodies for management systems. The document has been structured as ISO/IEC 17021:2006. The term shall is used throughout this document to indicate those provisions which, reflecting the requirements of ISO/IEC 17021:2006 are mandatory. The term should is used to indicate guidance which, although not mandatory, is provided as a recognised means of meeting the requirements. October 2008 rev 00 Page 3 of 15

4 CONTENTS INTRODUCTION SCOPE NORMATIVE REFERENCES TERMS AND DEFINITIONS PRINCIPLES GENERAL REQUIREMENTS STRUCTURAL REQUIREMENTS RESSOURCE REQUIREMENTS INFORMATION REQUIREMENTS Publicly accessible information Certification documents Directory of certified clients Reference to certification and use of marks Confidentiality Information exchange between a certification body and its clients PROCESS REQUIREMENTS General requirements Initial audit and certification Surveillance activities Recertification Special audits Suspending, withdrawing or reducing the scope of certification Appeals Complaints Records of applicants and clients MANAGEMENT SYSTEM REQUIREMENTS FOR CERTIFICATION BODIES ANNEX 1 REDUCTION OF TIME ANNEX 2 EXAMPLE: AUDIT OF INTERNAL AUDIT October 2008 rev 00 Page 4 of 15

5 INTRODUCTION This document provides guidance on the application of ISO/IEC 17021:2006 for the planning and delivery of combined audits. All clauses of ISO/IEC 17021:2006 continue to apply and this guidance does not supersede any of the requirements in that standard. The aim of this document is to establish guidance for the combined audit and, if appropriate, the certification of an organisations management system(s) against two or more sets of audit criteria. The term shall is used throughout this document to indicate those provisions which, reflecting the requirements of ISO/IEC 17021:2006, are mandatory. The term should is used to indicate guidance which, although not mandatory, is provided by EA as a recognized means of meeting the requirements. Certification bodies that performs combined audits and do not follow the EA Guidance in any respect will only be eligible to refer to accreditation on certificates as a result of a combined audit if they can demonstrate to the accreditation body that their solutions meet the relevant clause of ISO/IEC 17021:2006 in an equivalent way. It should be noted that the annexes at the rear of this document are also part of the guidance given and should be read as such. 1. SCOPE EA Guidance to clause 1 This guidance document is focusing on the situation of a combined audit covering management system standards which address different organizational risks (e.g. quality, environmental, safety, security etc). There are situations where one standard (e.g. TL 9000, AS/EN 9100 etc) totally incorporates the requirements of another (i.e. ISO 9001). For this situation, when conducting an audit against one standard (e.g TL, AS) it is also possible to issue certification to ISO 9001 (provided scope is the same) solely on the basis of the TL or AS audit. G and Annex 1 is not developed to address this situation. 2. NORMATIVE REFERENCES EA Guidance to clause TERMS AND DEFINITIONS EA Guidance to clause 3 G.3.1 The following definitions apply to the EA Guidance in this document Combined audit: A combined audit is an audit of an organization s management system (s) against 2 or more sets of audit criteria/standards conducted at the same time. Integrated management system (IMS): For the purposes of this document, an IMS results when an organization uses one single management system to manage multiple aspects of organizational performance, to meet the requirements of more than one management system standard. Note 1: Management systems can appear in different levels of integration. See Annex 1. October 2008 rev 00 Page 5 of 15

6 Note 2: For the purposes of this document audit criteria is intended to mean management system standards used as a basis for conformity assessment and certification (e.g. ISO 9001, ISO 14001, ISO etc) 4. PRINCIPLES EA Guidance to clause 4 5. GENERAL REQUIREMENTS EA Guidance to clause 5 6. STRUCTURAL REQUIREMENTS EA Guidance to clause 6 7. RESSOURCE REQUIREMENTS EA Guidance to clause 7 8. INFORMATION REQUIREMENTS 8.1 Publicly accessible information EA Guidance to clause 8.1 G This information shall include details about its process for conducting combined audits. 8.2 Certification documents EA Guidance to clause 8.2 G Certification documents issued as a result of a combined audit should be issued as: One single certificate which should reference all management system standards covered by the combined audit ( see Note) and/or Separate certificates for each management system standard. Note: In situations where withdrawal of certification is restricted to a specific management system standard only, the certificate should be re-issued for the other standards that have not been affected. October 2008 rev 00 Page 6 of 15

7 G b) and c) If certification cycles are not harmonised for the individual management system standards covered by the combined certificate, then all applicable certification issue and expiry dates shall be shown on the certification documents. The expiry date of the combined certificate shall be the earliest of the individual expiry dates. 8.3 Directory of certified clients EA Guidance to clause Reference to certification and use of marks EA Guidance to clause Confidentiality EA Guidance to clause Information exchange between a certification body and its clients EA Guidance to clause PROCESS REQUIREMENTS 9.1 General requirements EA Guidance to clause 9.1 G The audit plan shall ensure that -All areas and activities applicable to each management system standard covered by the scope of the visit are assessed by appropriate competent auditors. - Sufficient time is allocated to accomplish a complete and effective audit of the client s management system(s) for the management system standards covered by the scope of the audit. G The audit team as a whole shall satisfy the competence requirements for each technical area as relevant for each certification scheme covered by the scope of the combined audit. In cases where the audit team leader does not have the competence required to audit all management system standards covered by the combined audit, individual team members shall be appointed as the `lead for each applicable standard and be responsible for any related recommendations that fall outside the competence of the audit team leader. G To determine the audit time for a combined audit covering two or more management system standards, e.g. A + B + C, the certification body shall October 2008 rev 00 Page 7 of 15

8 calculate the required audit time for each management system standard separately (applying all relevant factors provided for by the applicable accreditation guidance and / or scheme rules for each standard) calculate the starting point T for the duration of the combined audit by adding the sum of the individual parts (e.g. T = A + B + C) where appropriate, adjust the starting point figure by taking into account factors that may reduce (see annex 1) or increase the time required for the combined audit. These factors should include but not be limited to: o The availability and use of multi-discipline auditors. o The extent to which the organisations management system is integrated. o The ability of the organisations personnel to respond to questions concerning more than one management systems standard.. o The planning of the audit takes into account effective use of auditor time. o The complexity of combined audits compared with single management system audits. Inform the client that combined audit durations which have been based on declared levels of system integration that are subsequently found to be invalid, will be subject to adjustment. Note: Reference G refers It is unlikely that the sum of all adjustments made for a given organisation, considering all factors, would reduce the time required for a combined audit by more than 20% from the starting point figure above. The starting point figure and justification for reduction shall be documented. Combined audits of non integrated management systems (although conducted at the same time) should not qualify for any time reduction. G Existing (accreditation) guidance relating to each management system standard needs to be considered when developing a sampling plan for the combined audit. G All applicable elements of each management system standard relevant to the scope of the combined audit visit shall be adequately assessed. For example, when conducting a combined audit of an integrated management system covering Quality, Safety and Environmental, it would be unacceptable to verify the effectiveness of the system for corrective action by only auditing samples relevant to say Quality. In some areas of the audit programme it should be appropriate for auditors to audit aspects of a management system standard for which they are not formally qualified as auditor or lead auditor. The following are examples of where this should be appropriate; Areas where the requirements of the management system standards and the technical knowledge to undertake the audit is common. E.g. Control of documents. Areas where the auditor should verify compliance with requirements which are administrative in nature see Annex 2, Example for Internal Audits Confirmation of evidence / close out of an audit trail. October 2008 rev 00 Page 8 of 15

9 o During an audit it is often necessary to follow up and confirm that an element of objective evidence exists within the company records and/or processes. This confirmation can be in the form of a closed question and is often used to close out audit trails that have been raised. A typical example may be that following the quality management system audit of a design department, confirmation is required that a particular clause is referenced on a purchase order for certain product types. This confirmation of evidence should be undertaken by any auditor. It should be noted that any audit of the technical consequences of the evidence not being available must be made by an auditor competent for the relevant management system standard. In general, delegation opportunities are restricted to the administrative rather than the management of processes. They should only be undertaken following an appropriate briefing from the lead auditor qualified for the specific management system standard. Findings should be reported back to the lead auditor who will decide what, if any, further action is to be taken and review and agree the report to the client. Audit tasks relating to the technical aspects of processes (e.g. their management, controls, capability and effectiveness) which demand specific technical competence in relation to the audit criteria shall not be delegated to auditors who are not competent for the technical area as relevant for each certification scheme. G See guidance to G Audit reports produced as a result of a combined audit should be issued as a combined report (in which findings relating to all management system standards covered by the combined audit are included in one common report) or as separate reports. Each finding raised in a combined report shall be traceable to each applicable management system standard(s). Separate nonconformities should be raised for each management system standard unless specific findings are applicable to the requirements of more than one standard. The certification body should consider the impact that a nonconformity found for one of the system standards has on the compliance of the management system(s) with the other standards. G This analysis and description shall be done for each nonconformity taking account of the requirements of each management system standard. G The person(s) that determine that the corrections and corrective actions are acceptable shall be competent for each of the management system standard(s) covered by the nonconformity. 9.2 Initial audit and certification Application EA Guidance to clause G For combined audits this information should include information relating to a) the level of integration (see annex 1) of the organisation's management system(s) and b) the ability of the organisations personnel (at the time of the audit) to respond to questions relating to each management system standard covered by the combined audit. October 2008 rev 00 Page 9 of 15

10 Organisations choose different approaches to how they manage the various aspects of their business performance (e.g. quality, health and safety or environmental), from totally separate to partially integrated to fully integrated management systems. The extent to which a system is integrated is a factor which will influence the time required to conduct a combined audit Application review EA Guidance to clause G When conducting this review the certification body shall take into account any additional activities (restrictions) related to the management system standards to be covered by the combined audit (e.g. specific sector scheme requirements). G See guidance for Initial certification audit EA Guidance to clause G d) For combined audits the information collected during the Stage 1 visit should include information relating to a) the level of integration of the organisation's management system(s) and b) the ability of the organisations personnel to respond to questions relating to each management system standard - in order to verify the information obtained and decisions made at the Application Review (see and 9.2.2) G e) The certification body shall review and modify as necessary the audit duration that was based on a level of system integration which was confirmed during the stage 1 audit. Confirm if the level of integration coincides with the level declared by the client. G See guidance for Initial certification audit conclusions EA Guidance to clause Information for granting initial certification EA Guidance to clause Surveillance activities EA Guidance to clause 9.3 G 9.3 See guidance for October 2008 rev 00 Page 10 of 15

11 9.4 Recertification EA Guidance to clause 9.4 G 9.4 See guidance for 9.1.2, and Special audits EA Guidance to clause Suspending, withdrawing or reducing the scope of certification EA Guidance to clause 9.6 G 9.6 If one management system standard is affected by suspension or withdrawal the certification body shall investigate if the other management system standards and the certificate(s) are affected, too. 9.7 Appeals EA Guidance to clause Complaints EA Guidance to clause Records of applicants and clients EA Guidance to clause MANAGEMENT SYSTEM REQUIREMENTS FOR CERTIFICATION BODIES EA Guidance to clause 10 October 2008 rev 00 Page 11 of 15

12 ANNEX 1 REDUCTION OF TIME Figure Level of integration % Ability to perform combined audit % Figure 1: This figure illustrates the reduction (%) in combined audit duration and its relationship to: Vertical axis, the level of integration of an organisations management system (see below) (which should include a consideration of the auditees ability to respond to multi-aspect questions); and Horizontal axis, the extent to which individual audit team members are qualified for more than one management system standard covered by the combined audit (i.e. multi-skilled) calculated using the following formula: 100 ((X 1-1)+ (X 2-1)+ (X 3-1)+ (X n -1)) Z(Y-1) Where X 1,2,3 n is the number of standards for which auditor n is qualified relevant for the scope of the combined audit; Y is the number of management system standards to be covered by combined audit; Z is the number of auditors. October 2008 rev 00 Page 12 of 15

13 Example: A combined audit team of 3 auditors covering three different management system standards. One auditor is qualified for all three standards; one auditor is qualified for two of the standards and the other auditor is qualified for one standard. The percentage figure to be used for the horizontal axis is: 100 ((3-1) + (2-1) + (1-1)) = 50 % 3(3-1) Level of integration An integrated management system results when an organization uses one single management system to manage multiple aspects of organizational performance. It is characterised by: 1. Management Reviews that consider the overall business strategy and plan. 2. An integrated approach to internal audits. 3. An integrated approach to policy and objectives. 4. An integrated approach to systems processes. 5. An integrated documentation set including work instructions, to a good level of development as appropriate. 6. An integrated approach to improvement mechanisms, (Corrective and Preventive Action; measurements and Continual Improvement). 7. An integrated approach to planning, with good use of business wide risk management approaches. 8. Unified management support and responsibilities. The certification body must decide the percentage level of integration based upon the extent to which the organisations management system meets the above criteria. October 2008 rev 00 Page 13 of 15

14 ANNEX 2 EXAMPLE: AUDIT OF INTERNAL AUDIT Consider the audit of internal audit when conducting a combined audit visit covering Q (ISO 9001), S (OHSAS 18001) and E (ISO 14001) of a typical manufacturing plant. There are some common requirements of all three standards for internal audit. These are almost entirely administrative relating to the existence of programmes and plans, reporting and follow up activities. However, there are different bases for the determination of audit frequency and duration. From the quality perspective there will be no requirement to audit the waste water treatment plant or solid waste disposal but these will feature prominently in an ISO based programme and should be included in the health & safety programme depending on the type of processes and activities in the plant. Conversely an assembly operation in an electronics plant has (should have) many quality and health & safety issues but should have relatively few environmental issues. The audit programme needs to reflect the relative risks to the environment and risks to health and safety as well as the significance to quality. Therefore, the internal audit programme and plan should be reviewed by certification body auditor(s) competent for each management system standard. Competence of the organisations internal auditors should be defined in terms of basic audit process, technical and regulatory knowledge and knowledge of the activities being audited. It is rare to find truly multi-skilled internal auditors and so the deployment by the organisation of internal auditors with the right competence should also be assessed by certification body auditors qualified for each management system standard covered by the combined audit. For this example the certification body auditor should ask three main questions: Auditor question Combined systems Auditor competence Is the internal audit programme effectively designed? Is the internal audit programme being implemented in accordance with procedures? Is it effective? The certification body audit team needs to confirm that the Quality, Environmental and Health & Safety components of the programme are weighted according to the status and importance of the processes and areas to be audited, the environmental risks and the health & safety risks and results of previous audits This would be a confirmation that trained internal auditors conduct audits against the plan and follow procedures The certification body audit team need to evaluate the competence of internal auditors, the relevance of findings and the appropriateness of the corrective actions. The certification body audit team needs to review the audit programme to consider whether it is appropriate and sufficient for each management system standard. This should only be done by auditor(s) competent for each management system standard covered by the combined audit. Any CB auditor may assess the administrative components of internal audit This should only be done by auditor(s) competent for each management system standard covered by the combined audit. October 2008 rev 00 Page 14 of 15

15 Conclusion Audit of the internal audit programme and plan to assess that the frequency and duration of audits has been established on the basis of risk and that competent internal auditors have been assigned should only be done by CB auditors competent for each management system standard covered by the combined audit Sampling and audit of relevant internal audit reports to confirm the effectiveness (by audit of content and comparison with their own observations) of the internal audit programme should only be conducted by CB auditors qualified for each management system standard covered by the combined audit; Any CB auditor should verify the administrative aspects of internal audit such as; the existence of a documented procedure; the existence of an audit programme; scheduling and conduct of audits as per programme, reporting, follow up and close out of internal audits as per documented procedure. However review of the organisations corrective actions for effectiveness should be conducted by an auditor competent for the respective standard. October 2008 rev 00 Page 15 of 15